CVE-2021-21334: containerd environment variable leak
CVSS Score: 6.3 (CVSS 3.1)
Basic Information
CVE ID: CVE-2021-21334
GHSA ID
EPSS Score: 0.43586%
CWE
Published: 1/31/2024
Updated: 1/31/2024
KEV Status: No
Technology: Go
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/containerd/containerd | go | >= 1.4.0, < 1.4.4 | 1.4.4 |
| github.com/containerd/containerd | go | < 1.3.10 | 1.3.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability was fixed in containerd/cri#1628 and #1629 by modifying environment variable handling in container creation. The commit diffs show changes to environment variable initialization in container spec generation, specifically ensuring environment variables are appended to a new slice rather than potentially reusing a previous container's environment. The CVE description directly matches this code change pattern where environment variables from different containers could be mixed when sharing the same image.
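
The slice-reuse pattern described above, as an added Go illustration that is not containerd's code: `imageConfig`, `buildEnvShared`, `buildEnvCopied` and the sample variables are hypothetical and constructed for this example. It assumes the shared image environment slice has spare capacity, which is what lets two `append` calls write into the same backing array.

```go
package main

import "fmt"

// imageConfig stands in for a cached image configuration shared by every
// container created from the same image (hypothetical type).
type imageConfig struct{ Env []string }

// buildEnvShared appends container-specific variables directly onto the
// image's slice. With spare capacity, every caller writes into the same
// backing array, so a later container overwrites an earlier one's entries.
func buildEnvShared(img *imageConfig, extra ...string) []string {
	return append(img.Env, extra...)
}

// buildEnvCopied appends onto a new slice, so no backing array is shared.
func buildEnvCopied(img *imageConfig, extra ...string) []string {
	env := make([]string, 0, len(img.Env)+len(extra))
	env = append(env, img.Env...)
	return append(env, extra...)
}

// newImage returns a constructed image config whose Env has len 1, cap 4.
func newImage() *imageConfig {
	env := make([]string, 0, 4)
	return &imageConfig{Env: append(env, "PATH=/usr/bin")}
}

// leaked reports whether container A's environment ends up holding the
// variable that was meant only for container B.
func leaked(build func(*imageConfig, ...string) []string) bool {
	img := newImage()
	a := build(img, "TOKEN=for-container-a")
	_ = build(img, "TOKEN=for-container-b") // second container, same image
	for _, kv := range a {
		if kv == "TOKEN=for-container-b" {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println("shared slice leaks:", leaked(buildEnvShared))
	fmt.Println("copied slice leaks:", leaked(buildEnvCopied))
}
```

A regression test for this class of bug can build two specs from one image config and assert that neither environment contains the other's variables.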